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DETAILED ACTION 



1. 



The response of 1 1/03/08 was received and considered. 



2. 



Claims 2 and 18 liave been amended. 



3. 



Claims 2-14 and 16-21 are pending. 



Response to Arguments 



4. Applicant's arguments filed 1 1/03/08 have been fully considered but they are not 
persuasive. 

5. Applicant argues the Rowland reference. Applicant explains the Rowland 
reference however Applicant's arguments fail to comply with 37 CFR 1 .1 1 1 (b) because 
they amount to a general allegation that the claims define a patentable invention without 
specifically pointing out how the language of the claims patentably distinguishes them 
from the references. Also, Applicant's arguments do not comply with 37 CFR 1 .111 (c) 
because they do not clearly point out the patentable novelty which he or she thinks the 
claims present in view of the state of the art disclosed by the references cited or the 
objections made. Further, they do not show how the amendments avoid such 
references or objections. 

6. Applicant argues the Baker reference, stating "Baker nowhere suggests that 
pattern analysis is conducted by multiple agents in a network so that patterns of 
suspicious activities at different ports of the computer network may be determined." 
The examiner respectfully disagrees. Baker discloses analyzing means of other agents 
to identify similar patterns of suspicious activity in different portions of the computer 
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network (figs. 2 & 3 and associated text, and col. 5, lines 29-45, disclose intrusion 
detection pattern analysis performed by a network node (fig. 2) and performed by a host 
node (fig. 3), looks for patterns of misuse, patterns can be as simple as an attempt to 
access a specific port on a specific host or as complex as sequences of operations 
distributed across multiple hosts). It would have been obvious to one of ordinary skill in 
the art at the time the invention was made to modify the system of Rowland with the 
system of Baker to compare the results of the pattern analysis to the results of pattern 
matching by analyzing means of other agents to identify similar patterns of suspicious 
active in different portions of the computer network in order to determine if a specific 
node can be trusted, as taught by Baker, (col. 5, lines 10-14). Additionally, in response 
to applicant's argument that the references fail to show certain features of applicant's 
invention, it is noted that the features upon which applicant relies (i.e., multiple agents) 
are not recited in the rejected claim(s). Although the claims are interpreted in light of 
the specification, limitations from the specification are not read into the claims. See In 
re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 

Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or deschbed as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
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8. Claims 2-14 and 16-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Rowland, US Patent 6,405,318 and further in view of Baker, US 
Patent 6,775,657. 

Regarding claim 2, Rowland discloses a system that detects the state of a computer 
network, comprising: agents/host local controller (fig. 9, #151-153) disposed in said 
computer network, each said agent/host local controller, comprising: 
data collection means/intrusion detection system (fig. 1)for passively collecting, 
monitoring, and aggregating data representative of activities of respective nodes within 
said computer network (log file auditing, fig. 2, and col. 2 lines 40-47); 
means responsive to the data from the data collection means for analyzing said data to 
develop activity models (user profile data or signatures) representative of activities of 
said network in a normal state and activities of said network in an abnormal state; and 
means for comparing collected data to said activity models to determine the state of 
said computer network at different times and to dynamically update said activity models 
(col. 2, lines 40-67 and fig. 2), wherein said analyzing means performs a pattern 
analysis on the collected data (fig. 3, #34 and associated text, compares known attack 
patterns) said comparing means compares the results of the pattern analysis of data 
collected by an agent to the results of pattern analysis of data collected by analyzing 
means of other agents (fig. 8 and fig. 9, col. 7, line 55-col. 8, line 23). Rowland lacks or 
does not expressly disclose analyzing means of other agents to identify similar patterns 
of suspicious activity in different portions of the computer network. However, Baker 
discloses analyzing means of other agents to identify similar patterns of suspicious 
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activity in different portions of the computer network (figs. 2 & 3 and associated text, 
and col. 5, lines 29-45, disclose intrusion detection pattern analysis performed by a 
network node and performed by a host node, looks for patterns of misuse, patterns can 
be as simple as an attempt to access a specific port on a specific host or as complex as 
sequences of operations distributed across multiple hosts). It would have been obvious 
to one of ordinary skill in the art at the time the invention was made to modify the 
system of Rowland with the system of Baker to compare the results of the pattern 
analysis to the results of pattern matching by analyzing means of other agents to 
identify similar patterns of suspicious active in different portions of the computer network 
in order to determine if a specific node can be trusted, as taught by Baker, (col. 5, lines 
10-14). 

Regarding claim 3, Rowland as modified above discloses the system of claim 2, 
wherein said agents comprises a plurality of distributed agents/host local controllers and 
central system controller (fig. 9. #150 and #151-153). 

Regarding claim 4, Rowland as modified above discloses the system of claim 2, 
wherein said data collection means collects data representative of operation of said 
computer network, including respective nodes in said computer network, said data 
relating to communications, internal and external accesses, code execution functions, 
and/or network resource conditions of respective nodes in said computer network (col. 2 
lines 40-67, Rowland discloses the system coordinates information transfer with host. 
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multi-host and networl< environments to coordinate intrusion response... real-time 
monitoring of log audit files, port scan detection and session monitoring. Fig. 3 
demonstrates monitoring foreign domains). 

Regarding claim 5, Rowland as modified above discloses the system of claim 2, 
wherein said activity models characterize conditions within said computer network 
including behaviors, events, and/or functions of respective nodes of said computer 
network, said behaviors representative of said normal state and one or more abnormal 
states representative of suspicious activity in said computer network, (col. 2 lines 40-67 
disclose the intrusion detection system automatically and dynamically builds user profile 
data for each user that can be used to determine normal actions for each user to reduce 
the occurrence of false alarms... and fig. 2 shows monitoring suspicious events #15, 
known attacks, #12, known security violations, #13). 

Regarding claim 6, Rowland as modified above discloses the system of claim 2, further 
comprising means for characterizing the state of the computer network and identifying 
any potential threats based on said collected data (figs 4-5 disclose the user profile 
database and user database update function and the anomaly detection function). 

Regarding claim 7, Rowland as modified above discloses the system of claim 6, 
wherein said characterizing means further recommends remedial repair and/or recovery 
strategies to isolate and/or neutralize the identified potential threats to the computer 
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system (in tlie event of a detected threat the control is notified, fig. 5, #55, fig. 6, #85, 
fig. 7, #97; in fig. 8, determine and take appropriate action #127-136). 

Regarding claim 8, Rowland as modified above discloses the system of claim 2, 
wherein respective agents are connected by redundant communications connections 
(fig- 9). 

Regarding claim 9, Rowland as modified above discloses the system of claim 2, 
wherein each agent is implemented in redundant memory and hardware that is adapted 
to be insulated from infected components of said computer network (col. 2, lines 48-67). 

Regarding claim 10, Rowland as modified above discloses the system of claim 2, 
wherein the agents a plurality of agents are disposed in a hierarchical structure whereby 
communications from bottom level agents to agents at higher levels in the hierarchy are 
limited (fig. 9, local host controller, central system controller, network administrator). 

Regarding claim 1 1 , Rowland as modified above discloses the system of claim 2, further 
comprising means for predictively modeling the behavior of said computer network 
based on sequentially occurring behavior patterns in the data collected by said data 
collection means (col. 5, lines 30-35 and figs. 3-4). 
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Regarding claim 12, Rowland as modified above discloses the system of claim 2, 
wherein said comparing means comprises means for pattern matching collected data 
with data in said activity models to determine a closest activity model based upon 
similarity of the data in each data model with the collected data (col. 5, lines 30-35 and 
figs. 3-4). 

Regarding claim 13, Rowland as modified above discloses the system of claim 2, 
wherein the collected data represents actions of a virus, system responses to actions of 
a virus, actions of a hacker, system responses to actions of a hacl<er, threats directed to 
discrete objects in said computer network, and/or potential triggers of a virus or threat to 
said computer network (col. 6, lines 13-col. 7, line 40 and fig. 6). 

Regarding claim 14, Rowland as modified above discloses the system of claim 2, 
wherein said analyzing means for each agent filters and analyzes received data and 
dynamically redistributes the analyzed and filtered data to other agents associated with 
said each agent (col. 2, lines 50-66). 

Regarding claim 15, Rowland as modified above discloses the system of claim 2, 
wherein said analyzing means performs a pattern analysis on the collected data and 
said comparing means compares the results of the pattern analysis to the results of 
pattern matching by analyzing means of other agents to identify similar patterns of 
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suspicious activity in different portions of the computer network (col. 2, lines 50-66 and 
col. 5, lines 30-35 and figs. 3-4). 

Regarding claim 16, Rowland as modified above discloses the system of claim 2, 
wherein the comparing means compares names and email addresses in said collected 
data against known criminal, hoaxsters and/or aliases for known criminals and 
hoaxsters (col. 10, 27-35 and col. 6, lines 30-51, SMTP). 

Regarding claim 17, Rowland as modified above discloses the system of claim 2, further 
comprising a trusted server that receives attack data from a plurality of agents 
identifying abnormal states indicative of a network attack, said trusted server gathering 
the attack data and sending warnings to selected nodes in said computer network (fig. 
9, #150, central system controller). 

As per claim 18, this is a method version of the claimed system discussed above in 
claim 1 wherein all claimed limitations have also been addressed and/or cited as set 
forth above. 

Regarding claim 19, Rowland as modified above discloses the method of claim 18, 
wherein the agents reports any suspicious activity that exceeds a suspicion threshold 
(fig. 10 controls the intrusion detection system setup and determines the suspicion 
thresholds). 
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Regarding claim 20, Rowland as modified above discloses the method of claim 19, 
wherein the agents transmits said analyzed data in order to determine an origin of the 
suspicious activity in the computer network (col. 2 lines 40-67). 

Regarding claim 21 , Rowland as modified above discloses the method of claim 20, 
further comprising scanning said analyzed data for patterns and comparing said 
patterns to data representative of patterns of known threats to said computer network 
for identification of said suspicious activity (col. 5, lines 30-35 and figs. 3-4). 

Conclusion 

9. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 
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Any inquiry concerning tliis communication or earlier communications from the 
examiner should be directed to AUBREY H. WYSZYNSKI whose telephone number is 
(571)272-8155. The examiner can normally be reached on Monday - Thursday, and 
alternate Friday's. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571)272-381 1 . The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Aubrey H Wyszynski/ 
Examiner, Art Unit 2434 

/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 



